Transcription

Learning Objectives
- To understand the concept of Business Continuity Management
- To understand the key phases and components of a Business Continuity Plan
- To understand the key aspects of Business Continuity Plan implementation
- To learn about Back-up and Disaster Recovery Planning
- To learn how to audit a Business Continuity Plan

Task Statements
- To design, develop, implement, test, maintain and audit all key phases and components of a Business Continuity Plan in an enterprise
- To conduct Risk assessment and Business Impact Assessment

Knowledge Statements
- To understand the concepts and components of Business Continuity Management
- To know the development of Business Continuity Plans, Disaster Recovery Plans, Emergency Plans etc.
- To know the different phases and components of Business Continuity Plan

4.1 Introduction
Business Continuity Management (BCM) is an effective management process to:
- Manage disruption of all kinds
- Provide countermeasures to safeguard
To ensure effective implementation of BCM, an enterprise should conduct regular internal audits at planned intervals.
BCM facilitate understanding of the concept, planning, implementation and continuous improvements of Business Continuity Plans (BCP)

4.2 Need for BCM
Key terms
Business Contingency: An event with the potential to disrupt computer operations, thereby disrupting critical mission and business functions, e.g. power outage, hardware failure, fire, or storm. If the event is very destructive, it is often called a disaster.

4.2 Need for BCM
Key terms
BCP Process: A process designed to reduce the risk to an enterprise from an unexpected disruption of its critical functions and assure continuity of minimum level of services necessary for critical operations. Purpose is to ensure that vital business functions (critical business operations) are recovered and operationalized within an acceptable timeframe.

Related Terms
- Asset - Something of value to organisation
- Vulnerability - Weakness in system safeguards
- Threat - Potential to harm the system
- Exposure - Extent of loss when risk materializes
- Likelihood - Probability that threat will succeed
- Attack - Set of actions designed to compromise CIA
- Risk - Potential harm if a threat exploits a vulnerability
- Countermeasure - Measure that reduces vulnerability of a system
- Residual Risk - Risk still remaining after the counter measures

What is BCP?
- Process designed to reduce the organization's business risk
- Much more than just a plan for the information systems

Risks of inadequate BCP
Inadequate BCP could result in risks:
- Inability to maintain critical customer services
- Damage to market share, reputation or brand
- Failure to protect Assets including IP and personnel
- Business control failure
- Failure to meet contractual or regulatory requirements

BCP Manual
Documented description of actions to be taken, resources to be used and procedures to be followed before, during and after a disruptive event.
The BCP Manual specifies the responsibilities of the BCM team, which serves as the liaison team between the functional area(s) affected and other departments providing support services in the event of an incident or disaster.

BCP Manual
BCM is a framework that:
- Proactively improves an enterprise's resilience against the disruption of its ability to achieve its key objectives.
- Provides a rehearsed method of restoring an enterprise's ability to supply its key products and services to an agreed level within an agreed time after a disruption.
- Delivers a proven capability to manage a business disruption and protect the enterprise's reputation and brand.

Scope of Business Continuity
- Top management needs to define the scope of the BCM program
- It involves identifying key products and services that support enterprise's objectives, obligations and statutory duties in line with the threat scenario and the business impact analysis (BIA)
- In case of an outsourced service or activity, the risk accountability remains with the enterprise

Advantage of Business Continuity
- Ability to proactively assess the threat scenario and potential risks
- Planned response to disruptions which can contain the damage and minimize the impact on the enterprise
- Ability to demonstrate a response through a process of regular testing and trainings

4.3 BCM Policy
A high level document:
- To make a systematic approach for disaster recovery
- To bring about awareness among the persons in scope about the business continuity aspects and its importance
- To test and review the business continuity planning for the enterprise in scope.
Developing the BCM policy involves:
- Defining the scope
- Defining the BCM principles, guidelines and minimum standards

4.3 BCM Policy
Objective of this policy is to provide a structure through which:
- Critical services and activities will be identified.
- Plans will be developed to ensure continuity of key service delivery following a business disruption.
- Invocation of incident management and business continuity plans can be managed.
- Incident management and business continuity plans are subject to ongoing testing, revision and updation.
- Planning and management responsibility are assigned to a member of the relevant senior management team.

4.4 Business Continuity Planning
Business Continuity Planning (BCP) is the creation and validation of a practical logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption.

Business Continuity Areas
- Business resumption planning - The operation's piece of business continuity planning
- Disaster recovery planning - The technological aspect of business continuity planning
- Crisis management - The overall coordination of an organization's response to a crisis in an effective timely manner

DR and BC
Disaster Recovery: Disaster recovery focuses on the IT or technology systems that support business functions. It is a subset of business continuity.
[Diagram labels: BCM, Disaster Recovery, Business Continuity]

Elements of Business Continuity
- Disaster Recovery - Recover mission-critical technology and applications at an alternate site.
- Business Recovery - Recover the business process at an alternate site. Workspace recovery.
- Contingency Planning - To manage an external event that has far-reaching impact on the business.

Objectives and Goals of BCP
Primary Objectives of BCP:
- To minimize loss by minimizing the cost associated with disruptions
- To enable an organisation to survive a disaster
- To re-establish normal business operations

Objectives and Goals of BCP
Key Objectives of Contingency Plan:
- Provide for the safety and well-being of people on the premises at the time of disaster
- Continue critical business operations
- Minimise the duration of a serious disruption to operations and resources
- Minimise immediate damage and losses

Objectives and Goals of BCP
Goals of Business Continuity Plan:
- Identify weaknesses and implement a disaster prevention program
- Minimise the duration of a serious disruption to business operations
- Facilitate effective co-ordination of recovery tasks
- Reduce the complexity of the recovery effort

Questions
- Discuss the objectives and goals of Business Continuity planning.
- 6. (c) What are the goals of Business Continuity Plan? (5 Marks) (Nov 2008) 4 Marks (Nov. 2012)
- 1. c) What is meant by Business Continuity Planning? Explain the areas covered by Business Continuity. (5 Marks) (Nov. 2010)

Answer
The primary objective of business continuity planning is to enable an organization:
- To survive in a disaster and
- To re-establish normal business operations.
In order to survive, the organization must assure that critical operations can resume normal processing within a reasonable time frame.

Answer
The key objectives of the contingency plan should be to:
- Provide for the safety and well-being of people on the premises at the time of disaster
- Continue critical business operations
- Minimise the duration of a serious disruption to operations and resources (both information processing and other resources)
- Minimise immediate damage and losses

Answer
Therefore, the goals of the business continuity plan should be to:
- Identify weaknesses and implement a disaster prevention program
- Minimise the duration of a serious disruption to business operations
- Facilitate effective co-ordination of recovery tasks
- Reduce the complexity of the recovery effort.

Phase 1 Pre-Planning Activities (Project Initiation)
Obtain an understanding of the existing and projected systems environment. Enables the project team to:
- Refine the scope of business continuity planning, associated work program
- Develop project schedules
- Identify and address any issues that could have an impact on the project
A Steering Committee is established with the overall responsibility for providing direction and guidance to the project team.

Phase 1 Pre-Planning Activities (Project Initiation)
Business Continuity Manager works with the Steering Committee in finalising the detailed work plan and developing schedules for conducting Security Assessment and Business Impact Analysis (BIA).
Two other key deliverables are:
- Development of a policy to support the recovery programs
- An awareness program to educate management and senior individuals.

Phase 2 Vulnerability Assessment and General Definition of Requirement
General definition of Requirement:
- Define the scope of the planning effort.
- Acquire recovery planning and maintenance software.
- Develop a Plan Framework.
- Assemble business continuity team and conduct awareness sessions.

Phase 3 Business Impact Assessment
- Identify critical systems, processes and functions
- Assess the economic impact of incidents and disasters
- Assess the pain threshold - the length of time business units can survive without access to the system, services and facilities

Phase 4 Detailed Definition of Requirements
A profile of recovery requirements is developed:
- To be used as a basis for analysing alternative recovery strategies
- By identifying resources required to support critical functions
- Includes hardware, software, documentation, outside support, facilities and personnel for each business unit.
Recovery strategies will be based on short term, intermediate term and long term outages.
Another key deliverable of this phase is the definition of the plan scope, objectives and assumptions.

Phase 5 Plan Development
- The recovery plans components are defined and plans are documented
- It includes the implementation of changes to user procedures, operating procedures, vendor contract negotiations and definition of Recovery Teams
- Recovery standards are also developed during this phase

Phase 6 Testing Program
- Testing/exercising goals are established
- Alternative testing strategies are evaluated
- Testing strategies tailored to environment are selected
- An on-going testing program is established

Phase 7 Maintenance Program
- Maintenance of the plans is critical to the success of an actual recovery
- The plans must reflect changes to the environments
- Change management procedures will be recommended and implemented
- Many recovery software products take this requirement into account

Answer
The methodology for developing a business continuity plan can be sub-divided into eight different phases. The extent of applicability of each of the phases has to be tailored to the respective organisation. The methodology emphasises the following:
- Providing management with a comprehensive understanding of the total efforts required to develop and maintain an effective recovery plan
- Obtaining commitment from appropriate management to support and participate in the effort
- Defining recovery requirements from the perspective of business functions
- Documenting the impact of an extended loss to operations and key business functions
- Focusing appropriately on disaster prevention and impact minimisation, as well as orderly recovery
- Selecting business continuity teams that ensure the proper balance required for plan development
- Developing a business continuity plan that is understandable, easy to use and maintain
- Defining how business continuity considerations must be integrated into ongoing business planning and system development processes in order that the plan remains viable over time.
